Legal

Privacy Policy

Your health data is sensitive. We treat it that way.

Last updated: April 2026  ·  Applies to: GlyBeat iOS app, GlyBeat Android app, and glybeat.com

GlyBeat is built on a simple principle: your health data belongs to you. We do not sell your personal data. We never will. Health information is Special Category data under UK GDPR and EU GDPR and is treated with the highest level of care throughout this app.

1. Who We Are

GlyBeat is a diabetes companion app available on iOS and Android. This policy covers the GlyBeat iOS app, GlyBeat Android app, and glybeat.com.

Data controller contact: Email us

2. What Data We Collect & Why

2.1 Account & Contact Data

Collected during onboarding and optionally thereafter:

  • Name — used to personalise your experience and communications. Transmitted securely to Formspree.
  • Email address (optional) — used to send app updates and newsletters. You can opt out at any time by contacting us.

2.2 Health Data — Stored On-Device Only

The following data is created by you within the app and stored only on your device. It is never sent to GlyBeat's servers:

  • Glucose readings entered manually
  • Food logs and diary entries
  • Medication records, doses, and adherence history
  • Exercise logs and workout history
  • HbA1c estimates (calculated on-device from your glucose data)
  • Zen AI memory file (your profile, goals, medications, and preferences — stored locally)

2.3 CGM Data via LibreLinkUp (Abbott)

If you connect an Abbott Libre continuous glucose monitor (CGM), GlyBeat stores your LibreLinkUp email address and password locally on your device. These credentials are used solely to retrieve your live glucose readings from Abbott's LibreLinkUp cloud service on your behalf.

GlyBeat does not transmit your LibreLinkUp credentials to its own servers. Your readings are fetched directly from Abbott's infrastructure and stored on-device only. Abbott's privacy policy governs data held in LibreLinkUp: abbott.com/privacy-policy.html

2.4 Device Health Platform Integration

GlyBeat can optionally read supplementary health data from your device's built-in health platform. This requires your explicit permission and the data does not leave your device.

  • iOS — Apple HealthKit: Glucose readings, steps, and activity data may be read from HealthKit with your permission. You can revoke access at any time in Settings > Privacy & Security > Health.
  • Android — Google Health Connect: Glucose readings, steps, and activity data may be read from Health Connect with your permission. You can revoke access at any time in your device's Health Connect settings.

2.5 AI Features — Zen, Sage & Food Photo Analyser

GlyBeat's AI features are powered by Anthropic's Claude API. The following data is transmitted to Anthropic's API solely for the purpose of generating a response and is not retained by GlyBeat after processing:

  • Zen & Sage conversations — the text content of your messages is sent to Anthropic to generate AI responses. Anthropic does not use API-submitted content to train their models without explicit consent.
  • Food Photo Analyser — when you photograph a meal, the image is sent to Anthropic's API to identify food items and estimate nutritional content. The image is processed in transit and not stored by GlyBeat after analysis.

Zen's personal memory of you (profile, medications, goals, triggers) is stored on-device only and is not sent to Anthropic. Only your active conversation messages are transmitted per session.

Anthropic's privacy policy: anthropic.com/privacy

2.6 Subscription & Billing Data

Subscriptions are managed by RevenueCat. GlyBeat does not store payment card details at any point. Billing is handled by your app store platform:

  • iOS: Apple App Store — Apple's privacy policy applies to payment processing.
  • Android: Google Play Store — Google's privacy policy applies to payment processing.

RevenueCat's privacy policy: revenuecat.com/privacy

2.7 Authentication & Account Data

User authentication and account management are handled by Supabase. Your account data (email address, user ID, and session tokens) is processed on Supabase's secure infrastructure.

Supabase's privacy policy: supabase.com/privacy

2.8 Food Barcode Lookups

When you scan a food barcode, GlyBeat queries the Open Food Facts public database to retrieve nutritional information. No personal data is shared with Open Food Facts during this process.

2.9 Usage Analytics

We collect anonymous crash reports and aggregated usage metrics to identify bugs and improve the app. This data cannot be used to identify you individually.

3. How We Use Your Data

  • To deliver app features: glucose tracking, food diary, medication reminders, exercise planner, AI chat
  • To personalise your Zen experience using your on-device memory file
  • To retrieve your CGM readings from LibreLinkUp on your behalf
  • To generate AI responses via Anthropic's Claude API
  • To analyse food photos via Anthropic's Claude API
  • To manage your subscription and account via RevenueCat and Supabase
  • To send service notifications and, if opted in, newsletters
  • To analyse anonymous usage patterns for app improvement

We will never use your health data for advertising and will never sell it to third parties.

4. Third-Party Services

Service | Purpose | Platform | Privacy Policy
Anthropic (Claude API) | AI responses for Zen, Sage, and Food Photo Analyser | Both | anthropic.com/privacy
Abbott (LibreLinkUp) | Retrieves live CGM glucose readings on your behalf | Both | abbott.com/privacy-policy.html
Apple HealthKit | Reads supplementary glucose, steps, and activity data | iOS only | apple.com/legal/privacy
Google Health Connect | Reads supplementary glucose, steps, and activity data | Android only | policies.google.com/privacy
RevenueCat | Subscription management and entitlement tracking | Both | revenuecat.com/privacy
Apple App Store | Subscription billing and payment processing | iOS only | apple.com/legal/privacy
Google Play Store | Subscription billing and payment processing | Android only | policies.google.com/privacy
Supabase | User authentication and account management | Both | supabase.com/privacy
Formspree | Stores name and email for personalised communications | Both | formspree.io/legal/privacy-policy
Open Food Facts | Food nutritional data for barcode scanning | Both | openfoodfacts.org/privacy

5. Data Storage & Security

On-Device Health Data: Your health data (glucose readings, food logs, medications, exercise, HbA1c estimates, and Zen memory) is stored exclusively on your device. It is never uploaded to GlyBeat's servers.

  • iOS: Data is stored using Apple's encrypted on-device storage, protected by your device passcode and Face ID / Touch ID.
  • Android: Data is stored in an encrypted local SQLite database, protected by Android's file-based encryption.

Account Data: Your name and email address are securely transmitted to and stored by Formspree and Supabase, both of which operate with industry-standard security controls.

LibreLinkUp Credentials: Your LibreLinkUp email and password are stored in your device's secure local storage only. They are never sent to GlyBeat's own servers.

6. Data Retention

  • On-device health data — retained until you delete the app or clear app data from your device settings.
  • Account and contact data (Supabase / Formspree) — retained while your account is active, then deleted within 30 days of a verified deletion request.
  • AI conversation data — not retained by GlyBeat after the session. Subject to Anthropic's own data retention policy.
  • Food photos — not stored by GlyBeat after the AI analysis is complete.
  • Subscription data — retained by RevenueCat per their own policy for as long as required for billing and dispute resolution.

7. Your Rights (UK & EU GDPR)

To exercise any of these rights, contact us by email. We will respond within 30 days.

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data ("right to be forgotten").
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — receive your data in a portable format to transfer elsewhere.
  • Withdraw Consent — withdraw consent at any time without affecting prior processing.
  • Object — object to processing based on legitimate interests.
  • Complaint — lodge a complaint with the ICO (UK) or your national data authority (EU).

8. Legal Basis for Processing

  • Explicit consent — for processing Special Category health data and sending marketing communications.
  • Contract performance — to deliver the features you have subscribed to or signed up for.
  • Legitimate interests — for anonymous analytics that improve the app, where those interests are not overridden by your rights.

9. Children's Privacy

GlyBeat is not intended for use by anyone under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Medical Disclaimer

GlyBeat is a general wellness and self-management tool. It is not a medical device, does not provide medical diagnoses, and does not give clinical advice.

All AI-generated content (from Zen, Sage, the Food Photo Analyser, and the Exercise Planner) is informational and educational only. All HbA1c figures displayed are estimates based on your logged glucose data and are never diagnostic.

GlyBeat will never recommend specific insulin doses or changes to prescribed medications. Always consult your diabetes healthcare team before making any changes to your treatment or management plan.

GlyBeat is classified as general wellness software and is not regulated as a medical device by the MHRA, FDA, or any other regulatory body.

11. Policy Updates

We may update this privacy policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For significant changes, we will notify you by email (if provided) or via an in-app notice. Continued use of GlyBeat after an update constitutes acceptance of the revised policy.

12. Contact

Questions about this policy or your data?

GlyBeat
Email: Email us
Website: glybeat.com

We aim to respond to all privacy enquiries within 30 days.